There is one more command that needs to be applied beyond what you have included in your post. As shown in the lesson, you must apply the ACL that you have created like this:
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 1 in
This command applies the ACL in an inbound direction on the interface. So the filtering will be applied to packets that are ingressing on the interface.
So, with this scenario, R2 has been configured to filter incoming packets on the Fa0/0 interface. It has been set up to allow only those packets with a source IP address within the 192.168.12.0/24 network. The implicit deny any statement at the end filters out all other packets. The direction you apply on the access-group command indicates whether the ACL filtering is applied on ingress or egress packets.
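As an added illustration (not part of the original posts, and not Cisco's code), the Python sketch below models the behaviour described above: a standard ACL matches on source address with a wildcard mask, the first match wins, an implicit deny closes the list, and the check happens only in the direction and on the interface where the ACL is applied. The ACL line `access-list 1 permit 192.168.12.0 0.0.0.255` is assumed from the description of the scenario, and the function names are hypothetical.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <addr [wildcard] | host addr | any>'."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {line!r}")
        action, rest = tok[2], tok[3:]
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            addr, wild = _ip(rest[1]), 0
        else:
            addr, wild = _ip(rest[0]), (_ip(rest[1]) if len(rest) > 1 else 0)
        entries.append((action, addr, wild))
    return entries

def evaluate(entries, src):
    """Return the action of the first entry matching the source address."""
    s = _ip(src)
    for action, addr, wild in entries:
        # Wildcard bits set to 1 are "don't care" bits.
        if (s | wild) == (addr | wild):
            return action
    return "deny"  # implicit "deny any" at the end of every ACL

def filter_packet(entries, bindings, interface, direction, src):
    """Check the ACL only where 'ip access-group' applied it."""
    if (interface, direction) not in bindings:
        return "permit"  # no ACL in this direction on this interface
    return evaluate(entries, src)

# Assumed ACL line, reconstructed from the scenario description.
ACL_1 = parse_standard_acl(["access-list 1 permit 192.168.12.0 0.0.0.255"])
# Models: interface fastEthernet 0/0 / ip access-group 1 in
BINDINGS = {("FastEthernet0/0", "in")}

if __name__ == "__main__":
    for src in ("192.168.12.1", "192.168.13.1"):  # constructed sample sources
        print(src, filter_packet(ACL_1, BINDINGS, "FastEthernet0/0", "in", src))
```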
I don’t fully understand the question either! But I think it has to do with best practices concerning where to place standard access lists. I answered him as best I could in the following post:
Some posts discuss using Control Plane Policing and the Extended Outbound ACL to filter locally generated traffic. I’m not sure how to interpret this as I’ve been stuck on the same topic for the last ten days, and my ENCOR exam is next month. Please take the necessary action and provide a scenario. It is really urgent for me to finish this topic anyhow, and see the snap: it totally contradicts if you read the post answered by Rene on the same.
Transient traffic is traffic that goes through a router, but the source and destination IPs found within the packets DO NOT belong to the router itself. When H1 sends a packet to H2, it has a source address of 192.168.12.1 and a destination address of 192.168.34.4. When R2 receives this packet, since the source and destination IP addresses do not belong to R2, it will forward it along based on the routing rules. For R2, this is transient traffic. Traffic that goes through but is not destined for R2.
Locally generated traffic is traffic that the router itself creates and generates. For example, R2 may send an OSPF update to R3. The source IP address of that OSPF update is 192.168.23.2, which is R2’s IP address. It is sourced from the router R2 itself, thus it is locally generated. Similarly, R3 will receive this OSPF update and it will see that the destination address is its own. R2 will never filter this outgoing traffic since it has its own IP address as the source address in the packet, and R3 will never filter this incoming traffic because the destination address is its own.
The only way to filter traffic that is generated by the router itself, or is destined to the router itself is to use Control Plane Policing (CoPP).
Once more, why do you emphasize using an extended access list to filter locally generated traffic, and when does control plane policing become relevant?
My apologies. That post contained incorrect information. I have updated it so that it is now correct.
Control Plane Policing or CoPP becomes relevant because only with CoPP can you filter traffic that is generated by a local interface on the device itself. Otherwise, normal ACLs that are applied to interfaces will not filter any such traffic.